Masquerade's hook_init has an incompatibility with Pressflow in that it initializes a $_SESSION for every pageload whether this is necessary or not:

/**
 * Implementation of hook_init().
 */
function masquerade_init() {
  global $user;

  // load from table uid + session id
  $uid = db_result(db_query("SELECT uid_from FROM {masquerade} WHERE sid = '%s' AND uid_as = %d", session_id(), $user->uid));
  // using if so that we get unset rather than false if not masqing
  if ($uid) {
    $_SESSION['masquerading'] = $uid;
  }
  else {
    $_SESSION['masquerading'] = null;
  }
}

I believe the fix is as simple as changing the else statement to be like:

  elseif (isset($_SESSION['masquerading'])) {
    $_SESSION['masquerading'] = NULL;
  }

Patch is attached.

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

mrfelton’s picture

Lets get this committed!

deekayen’s picture

Version: 6.x-1.4 » 6.x-1.x-dev
Status: Active » Fixed

Committed to DRUPAL-6--1. HEAD and DRUPAL-5 do this process differently, so I didn't apply it there.

deviantintegral’s picture

Status: Fixed » Patch (to be ported)

Just to confirm, this is a duplicate of #705858: Don't create session var when not masqerading?

Marking as to be ported to remind myself to double check this against HEAD.

claudiu.cristea’s picture

Assigned: joshk » claudiu.cristea
Category: feature » bug
Status: Patch (to be ported) » Active

Right now, with the code from DRUPAL-6--1 when we masquerade as Anonymous (UID = 0) we are loosing the source user in $_SESSION['masquerade'] because the code from hook_init() triggers only when user_is_logged_in().

claudiu.cristea’s picture

Status: Active » Needs review
FileSize
5.25 KB

Here's a patch that strips out session variable $_SESSION['masquerading'] when the current user is not masque (not set through Masquerade). The result is that when not masquerading there will be no $_SESSION['masquerading'] variable.

When masquerading there will be a $_SESSION['masquerading'] variable even if masquerading as Anonymous. And this is the right behavior even on Pressflow.

Modified also all occurrences of $_SESSION['masquerading'] to make the code PHP 5.3 safe.

deekayen’s picture

Status: Needs review » Needs work

Isn't it safe to unset something that's not set? Can if (isset($_SESSION['masquerading'])) { be removed in the init()?

deekayen’s picture

Status: Needs work » Closed (duplicate)

There are more subscribers on the older issue: #705858: Don't create session var when not masqerading